Report a Vulnerability

The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security vulnerabilities.

• If you’re an F5 customer with an active support contract, please contact F5 Technical Support.

• If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 product to the F5 Security Incident Response Team at F5SIRT@F5.com.

When SHOULDN’T I email F5SIRT@F5.com?

  • When you need technical assistance (for example "how do I configure my BIG-IP Local Traffic Manager (LTM), Application Security Manager (ASM), Application Firewall Manager").
  • When you’re notifying F5 about vulnerabilities that are public knowledge on AskF5.com or that you’ve learned about via a Security mailing list.
  • When you’re asking for help installing a release or a patch that’s been released because of a security advisory.
  • When you’re asking about non-security-related issues.

In any of these situations, please contact our technical support team first. If our technical support team recognizes a security issue, they’ll flag and escalate it to the F5 Security Incident Response Team.

 


To report a security issue to F5 Networks, please use the following PGP key to ensure secure communication.

To send an encrypted message to F5, use the F5 SIRT public PGP key, which is available on multiple public key servers.

 


Ways to receive security vulnerability updates from us.

F5 doesn’t provide advance notifications to specific recipients. We alert all customers at the same time via our security mailing list. Security patches and advisories are freely available from AskF5.

You can stay connected and receive the latest security information from F5 in the way that works best for you:

 


Overview of the F5 security vulnerability response policy.

https://support.f5.com/csp/article/K4602